Lost Data - Pay Compensation?!?!

It was on the news today that a memory stick was lost with the details of 130,000 criminals. OK, so we should be used to this by now - the twist in this story was the thought of compensation. What? Firstly, the information has been lost - not compromised (i.e. used), at least it hasn’t been yet. Secondly, what about the 25m whose details were compromised in one go last year? Or the other 4m since then? What about them? What about the 45m TJX customers, or the ones from the other high profile cases - where the data was maliciously stolen (and in some cases used for fraud)? The answer is that there is already a process in place for dealing with them. Legislation such as the data breach notification laws (disclosure laws) begins to define what is required - and it’s not to pay out random sums of money. Notification, measures to check credit ratings for 12-24 months and additional customer support all help - and it’s not cheap for the company. I’m not condoning data loss, far from it, there should be no excuse - but let’s not go over the top here.

We don’t want to move to an even more ridiculously litigious society (there was a story of someone delivering letters slipping over on a drive and suing the owners). With data loss there does need to be some compensation if the data is used (but this tends to come from the banks / credit card companies at present - by default). There is also the need to check credit ratings - to watch whether the information is used. But we don’t want to pay out - just for the heck of it.

This also brings up another couple of interesting points… In the US people regularly receive disclosure notices for lost data, but if your data is actually used, whose fault actually is it? Was it one from last week, or one from last year - was it one that hasn’t been disclosed yet - because the company doesn’t know they have been breached? Furthermore, the long term effects of data loss are unknown at present - if the records of a child are compromised (name, address, NI number - the usual stuff), then at age 16 they can apply for a credit card, or rather a cyber-criminal could… of course, some would have moved by then and the incorrect data might be picked up… but it might not. What happens in this case - where fraudulent actions can take place more than a decade after the data loss occurred?

Perhaps it is time for banks and credit card companies to offer ‘free’ credit rating checks as part of their service - all the time? It’s also time for companies to stop thinking ‘it won’t happen to us’ and make the changes so they don’t become front page news - and perhaps subject to a massive compensation claim.


3 Responses to “Lost Data - Pay Compensation?!?!”

  1. j on August 22nd, 2008

    Whilst one entirely agrees with the ‘no compensation’ aspect of the article, nevertheless there does need to be a system of statutory penalties (fines) for the offending organisation. Let us not forget that government bodies have special status.

    Fines are a necessary evil to penalise these organisations and ensure that they themselves are accountable for any data loss. These fines should be on a ‘per record’ (say £100 per item) basis and levied against the offending organisation - they could also be used to offset any future litigation arising for subsequent misuse of the lost data.

    In fact, to take the whole matter one step further, let us make this an insurable requirement. Therefore in the future no government contracts should be awarded without the company concerned demonstrating they have adequate insurance cover. This requirement will in itself be self regulating because those companies who have an historic record of data loss will suffer increased premiums and therefore may withdraw from the market.

    After all, in another context, no small contractor (one man tree surgeon) will be awarded County Council contracts unless they can show they have £10 million public liability insurance in place.

  2. Guy Bunker on August 22nd, 2008

    There does need to be a penalty, but it should be ‘fixed’ as part of the legislation - rather than on some ad hoc basis. Some fines are already levied by various bodies on companies who are careless with data, it certainly isn’t all of them. That could of course change with legislation. It also must apply to governments and government departments who, so often, seem to be exempt from these types of charges…

    The idea of it being an insurable requirement is a good one - including 3rd party data handlers (40+% of data loss happens through 3rd parties).

  3. One Small Memory Stick… £1.5M… : View From The Bunker on September 10th, 2008

    […] government today cancelled the contract with the 3rd party who lost data on a memory stick. The cost of the contract… £1.5m. They are also reviewing other contracts held with that […]
